Sanitize: trim() + mysqli_real_escape_string() OR filter_input()?


I am looking for the safest way to sanitize user inputs and avoid security risks on a PHP online application.

Until now, I used TRIM + mysqli_real_escape_string in order to clean whitespace and sanitize content, like this (string data):

$ca_title = trim(mysqli_real_escape_string($con,$_POST['ca_name']));

Due to the continuous "do not access superglobal $_POST array directly" NetBeans advice, I searched about this and found another way of sanitizing, which I doubt does the same as what I was doing until now:

$ca_title = filter_input(INPUT_POST, 'ca_name', FILTER_SANITIZE_STRING);

After looking at the PHP docs, I must say I don't find much difference between the two, and so I can't decide on the safest method. Could you advise me on this?


Solution

  • Instead of filtering/sanitizing, use mysqli's prepared statements. Those are safe to execute regardless of the content of the parameter, and need no cumbersome and error-prone escaping/un-escaping.
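The insert from the question, rewritten the way the answer recommends, as an added example (not code from the original post). The table and column names (`categories`, `ca_title`), the connection credentials and the 100-character limit are assumptions; trim() and filter_input() are kept for what they are good at (data cleaning and reading the request), while SQL safety comes from the bound parameter.

```php
<?php
// Added example, not from the original post. Table/column names and
// connection details are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli('localhost', 'db_user', 'db_password', 'app_db'); // placeholder credentials
$con->set_charset('utf8mb4'); // match the application's charset

// filter_input() satisfies the "do not access $_POST directly" advice.
// FILTER_DEFAULT returns the raw string, or null when the field is absent
// (FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and is not needed here).
$ca_title = filter_input(INPUT_POST, 'ca_name', FILTER_DEFAULT);
if ($ca_title === null || $ca_title === false) {
    http_response_code(400);
    exit('ca_name is required');
}

// trim() is still appropriate: it is a data-cleaning step, not a security step.
$ca_title = trim($ca_title);
if ($ca_title === '' || mb_strlen($ca_title) > 100) { // assumed length limit
    http_response_code(400);
    exit('ca_name must be 1-100 characters');
}

// The value is sent to the server separately from the SQL text, so quotes,
// backslashes or SQL keywords in it are stored literally and never parsed as SQL.
$stmt = $con->prepare('INSERT INTO categories (ca_title) VALUES (?)');
$stmt->bind_param('s', $ca_title);
$stmt->execute();

echo 'Inserted category id ' . $stmt->insert_id . PHP_EOL;

$stmt->close();
$con->close();
```

With the placeholder values swapped for real ones, this runs as a normal POST handler; the escaping call from the question is gone entirely because the statement text never contains user data.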